NordVPN Breach: How Bug Bounty Programs Can Help And Resolve

By ISBuzz Team, Writer, Information Security Buzz | Oct 22, 2019 06:06 am PST

NordVPN, the virtual private network provider, today confirmed it was hacked through an expired, exposed, and outdated internal private key. VPN providers have become increasingly popular because of the security they promise, and they are frequently used by people in hostile environments.

2 Expert Comments
Ted Shorter, CTO, InfoSec Expert | October 23, 2019 1:43 pm

Hackers gained access to the system at NordVPN that contained this, and at least one other sensitive encryption key. That’s bad, but history has shown us that given enough time and resources, hackers can often find their way into high-value targets: breaches such as this have happened in 2019 more times than I can count. However, a defense-in-depth strategy could have at least prevented the hackers from stealing the private keys.

Grant McCracken, Director, Solutions Architecture, InfoSec Expert | October 22, 2019 2:10 pm

What you think is your perimeter, is not your perimeter — it’s a whole lot bigger than you think. Nobody operates in or as a self-contained system, everyone is leveraging a litany of other web assets whether that’s data servers, third party plugins/addons, WordPress hosts, or even just run-of-the-mill AWS or Azure resources.

Everyone lives in a complicated state of a billion dependencies, and each one of these further extends a given organization’s attack surface. And with this, oftentimes, companies are left unaware of their full exposure/footprint, and thus cannot protect it.

To help protect one’s ever-changing attack surfaces and landscape, I recommend implementing an open scope bounty program where researchers can report vulnerabilities, even if it’s something as simple as exposed keys on a Pastebin blob. The important thing here is offering cash incentives to ensure that there’s a driver for individuals to report these vulnerabilities, rather than leaving them in the open for someone else to deal with. Ostensibly, a number of other people saw these keys on the message board where they were posted, but it appears that nobody had the motivation to report them immediately. Offering incentives to researchers (or even bystanders who witness these things) to report things like this is an effective and important piece in making sure that any organization is a little more secure in the wild.
